Sven-Haegar Koch
2015-Apr-24 20:26 UTC
Help needed with Tinc Setup on remote hosts and lots of ISPs / Failover Problems between ISPs
Comments below On Fri, 24 Apr 2015, Guus Sliepen wrote:> On Thu, Apr 16, 2015 at 10:09:05PM +0200, Raimund Sacherer wrote: > > > At first I really like the idea of having 3 Daemons on the headquarter, one for each ISP. The firewall should forward the port 655 from each ISP's public IP Address to my internal server and to the ports 655, 656, 657 respectively > [...] > > My question now is, for every tinc daemon I need a tun or tap device, so how should the routing be done correctly? I have the VPN Network 10.69.0.0/11. > > > > Right now I have one tinc daemon and one tun0 device. I route the complete 10.96.0.0/11 to tun0. How do I have to proceed if I want this 10.96.0.0/11 be available from all 3 tinc-deamons (which from the internet-side will have every one it's own public IP with a different ISP)? > > > > The idea would be that I: > > > > * do not have to care if a line goes down, remote offices just reconnect to one of the other lines > > * in the event of a severe degradation of a line I just stop the corresponding daemon, all remote offices which had used this internet line just reconnect to one of the others > > * do not really care to which ISP every remote office connects > > In this case, I think it's best if you do not add any routes in the > tinc-up script. So there, you just configure the address of the > interface, but don't supply a netmask: > > #!/bin/sh > ifconfig $INTERFACE 10.96.x.yWon't a netmask of 255.255.255.255 be better than not specifying any? Otherwise it falls back to old classful adressing and would assume 10.0.0.0/8 - which is clearly always wrong. # ifconfig eth2 10.96.3.4 # route -n |grep eth2 10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth2 Or are tun devices different in this regard?> Then, assuming you run tinc in router Mode (the default), you should > create a script named "subnet-up" in the same directory as tinc-up, and > put this in it: > > #!/bin/sh > ip addr add $SUBNET dev $INTERFACE > > And a "subnet-down" script: > > #!/bin/sh > ip addr del $SUBNET dev $INTERFACEDon't you mean "ip route add/del" here?> This will cause tinc to automatically add and remove routing entries, > depending on which nodes are reachable. You will get multiple routing > entries for the same subnet but to different interfaces. One of them > will be chosen by the kernel based on the order of addition, but you > don't care about it so it's fine. If tinc detects that a node goes down, > the subnet-down script will remove the offending route, and the kernel > will then use another one. And if you manually stop a tincd its routes > will be removed as well. > >c'ya sven-haegar -- Three may keep a secret, if two of them are dead. - Ben F.
Guus Sliepen
2015-Apr-24 20:35 UTC
Help needed with Tinc Setup on remote hosts and lots of ISPs / Failover Problems between ISPs
On Fri, Apr 24, 2015 at 10:26:18PM +0200, Sven-Haegar Koch wrote:> > #!/bin/sh > > ifconfig $INTERFACE 10.96.x.y > > Won't a netmask of 255.255.255.255 be better than not specifying any? > Otherwise it falls back to old classful adressing and would assume > 10.0.0.0/8 - which is clearly always wrong. [...] Or are tun devices > different in this regard?Hm, it seems that ifconfig indeed treats tun and tap differently, if you don't specify a netmask it applies a /32 for tun interfaces and a /8 for tap. Iproute is better I guess: #!/bin/sh ip addr add 10.96.x.y dev $INTERFACE ip link set dev $INTERFACE up> > Then, assuming you run tinc in router Mode (the default), you should > > create a script named "subnet-up" in the same directory as tinc-up, and > > put this in it: > > > > #!/bin/sh > > ip addr add $SUBNET dev $INTERFACE > > > > And a "subnet-down" script: > > > > #!/bin/sh > > ip addr del $SUBNET dev $INTERFACE > > Don't you mean "ip route add/del" here?Yes, thanks for correcting me. -- Met vriendelijke groet / with kind regards, Guus Sliepen <guus at tinc-vpn.org> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: Digital signature URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20150424/67e27feb/attachment-0001.sig>
Raimund Sacherer
2015-Apr-27 07:35 UTC
Help needed with Tinc Setup on remote hosts and lots of ISPs / Failover Problems between ISPs
Thank you very much Guus and Sven, that sounds indeed very exciting, can't wait to try it out. Best regards, Ray ----- Original Message -----> From: "Guus Sliepen" <guus at tinc-vpn.org> > To: tinc at tinc-vpn.org > Sent: Friday, April 24, 2015 10:35:48 PM > Subject: Re: Help needed with Tinc Setup on remote hosts and lots of ISPs / > Failover Problems between ISPs> On Fri, Apr 24, 2015 at 10:26:18PM +0200, Sven-Haegar Koch wrote:> > > #!/bin/sh > > > ifconfig $INTERFACE 10.96.x.y > > > > Won't a netmask of 255.255.255.255 be better than not specifying any? > > Otherwise it falls back to old classful adressing and would assume > > 10.0.0.0/8 - which is clearly always wrong. [...] Or are tun devices > > different in this regard?> Hm, it seems that ifconfig indeed treats tun and tap differently, if you > don't specify a netmask it applies a /32 for tun interfaces and a /8 for > tap.> Iproute is better I guess:> #!/bin/sh > ip addr add 10.96.x.y dev $INTERFACE > ip link set dev $INTERFACE up> > > Then, assuming you run tinc in router Mode (the default), you should > > > create a script named "subnet-up" in the same directory as tinc-up, and > > > put this in it: > > > > > > #!/bin/sh > > > ip addr add $SUBNET dev $INTERFACE > > > > > > And a "subnet-down" script: > > > > > > #!/bin/sh > > > ip addr del $SUBNET dev $INTERFACE > > > > Don't you mean "ip route add/del" here?> Yes, thanks for correcting me.> -- > Met vriendelijke groet / with kind regards, > Guus Sliepen <guus at tinc-vpn.org>> _______________________________________________ > tinc mailing list > tinc at tinc-vpn.org > http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc--
Possibly Parallel Threads
- Help needed with Tinc Setup on remote hosts and lots of ISPs / Failover Problems between ISPs
- Help needed with Tinc Setup on remote hosts and lots of ISPs / Failover Problems between ISPs
- Help needed with Tinc Setup on remote hosts and lots of ISPs / Failover Problems between ISPs
- Help needed with Tinc Setup on remote hosts and lots of ISPs / Failover Problems between ISPs
- Help needed with Tinc Setup on remote hosts and lots of ISPs / Failover Problems between ISPs